I have a network problem moving from our old ISP (ISPo) to the new ISP (ISPn). Both ISPn and ISPo are active while we transition to ISPn.

Current config:

  [ASCII network diagram; its layout did not survive extraction.
  Recoverable labels and links:
    hisoka (firewall): [em0] to ISPo; [em1] to a switch;
      [em4] (69.67.212.126, 69.67.212.120/32) to ISPn;
      [em5] (vlandev interface) and [vlan200] (10.123.40.6) to a
      second switch
    hammer (firewall): [fxp4] (69.67.212.94, 69.67.212.74/32)
    killua: [bge0] (10.123.40.2)]

hisoka:/# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:a6:32:5d
        priority: 0
        media: Ethernet autoselect (10baseT half-duplex)
        status: active
        inet6 fe80::215:17ff:fea6:325d%em0 prefixlen 64 scopeid 0x2
hisoka:/# ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:a6:32:5c
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::215:17ff:fea6:325c%em1 prefixlen 64 scopeid 0x3
hisoka:/# ifconfig em4
em4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:4f:7c:fd:82
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX half-duplex)
        status: active
        inet 69.67.212.126 netmask 0xffffffe0 broadcast 69.67.212.127
        inet6 fe80::214:4fff:fe7c:fd82%em4 prefixlen 64 scopeid 0x7
        inet 69.67.212.120 netmask 0xffffffff broadcast 69.67.212.120
hisoka:/# ifconfig vlan200
vlan200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:4f:7c:fd:83
        priority: 0
        vlan: 200 priority: 0 parent interface: em5
        groups: vlan
        inet6 fe80::214:4fff:fe7c:fd83%vlan200 prefixlen 64 scopeid 0xb
        inet 10.123.40.6 netmask 0xfffffff8 broadcast 10.123.40.7

hisoka:/# cat /etc/bridgename.bridge0
add em4
add em0
add em1
up

hisoka:/# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        em1 flags=3<LEARNING,DISCOVER>
                port 3 ifpriority 0 ifcost 0
        em0 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        em4 flags=3<LEARNING,DISCOVER>
                port 7 ifpriority 0 ifcost 0

hisoka:/# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            69.67.212.97       UGS        9    99113     -     8 em4
10.123.40.0/29     link#11            UC         2        0     -     4 vlan200
10.123.40.2        00:e0:81:2a:b5:1a  UHLc       2     3166     -     4 vlan200
10.123.40.4        00:1f:9e:7d:93:39  UHLc       1    13239     -     4 vlan200
69.67.212.96/27    link#7             UC         2        0     -     4 em4
69.67.212.97       00:08:e3:b4:b8:e0  UHLc       1        2     -     4 em4
69.67.212.120      127.0.0.1          UGHS       0        1 33160     8 lo0
69.67.212.120/32   link#7             UC         0        0     -     4 em4
69.67.212.126      00:14:4f:7c:fd:82  UHLc       0        4     -     4 lo0
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         2      405 33160     4 lo0
147.243.6.29       10.123.40.4        UGHS       0       17     -     8 vlan200
224/4              127.0.0.1          URS        0        0 33160     8 lo0

hammer:/# ifconfig fxp4
fxp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:07:e9:5d:62:f8
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 69.67.212.94 netmask 0xffffffe0 broadcast 69.67.212.95
        inet6 fe80::207:e9ff:fe5d:62f8%fxp4 prefixlen 64 scopeid 0x6
        inet 67.95.107.117 netmask 0xffffffe0 broadcast 67.95.107.127
        inet 67.95.107.116 netmask 0xffffffff broadcast 67.95.107.116
        inet 67.95.107.114 netmask 0xffffffff broadcast 67.95.107.114
        inet 67.95.107.104 netmask 0xffffffff broadcast 67.95.107.104
        inet 67.95.107.105 netmask 0xffffffff broadcast 67.95.107.105
        inet 67.95.107.106 netmask 0xffffffff broadcast 67.95.107.106
        inet 67.95.107.107 netmask 0xffffffff broadcast 67.95.107.107
        inet 67.95.107.108 netmask 0xffffffff broadcast 67.95.107.108
        inet 69.67.212.79 netmask 0xffffffff broadcast 69.67.212.79
        inet 69.67.212.77 netmask 0xffffffff broadcast 69.67.212.77
        inet 69.67.212.72 netmask 0xffffffff broadcast 69.67.212.72
        inet 69.67.212.73 netmask 0xffffffff broadcast 69.67.212.73
        inet 69.67.212.74 netmask 0xffffffff broadcast 69.67.212.74
        inet 69.67.212.75 netmask 0xffffffff broadcast 69.67.212.75
        inet 69.67.212.76 netmask 0xffffffff broadcast 69.67.212.76

killua:/# ping 69.67.212.94
PING 69.67.212.94 (69.67.212.94): 56 data bytes
[no response]

hisoka:/# tcpdump -n -e -ttt -i pflog0 host 69.67.212.94
tcpdump: listening on pflog0, link-type PFLOG
Mar 24 01:58:34.393743 rule 9/(match) pass in on vlan200: 10.123.40.2 > 69.67.212.94: icmp: echo request
Mar 24 01:58:34.393762 rule 1/(match) nat out on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request
Mar 24 01:58:34.395040 rule 37/(match) pass in on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request
Mar 24 01:58:34.395046 rule 41/(match) pass out on em1: 69.67.212.126 > 69.67.212.94: icmp: echo request
Mar 24 01:58:35.395232 rule 41/(match) pass out on em1: 69.67.212.126 > 69.67.212.94: icmp: echo request
...

Now, from killua, if I ping www.google.com, which works, the tcpdump output from hisoka looks like this:

hisoka:/# tcpdump -n -e -ttt -i pflog0 host 74.125.95.147
tcpdump: listening on pflog0, link-type PFLOG
Mar 24 01:59:52.971187 rule 9/(match) pass in on vlan200: 10.123.40.2 > 74.125.95.147: icmp: echo request
Mar 24 01:59:52.971204 rule 1/(match) nat out on em4: 69.67.212.126 > 74.125.95.147: icmp: echo request

I've bridged em0, em1, and em4. When killua pings 69.67.212.94, I expect to see:

  killua (bge0) -> hisoka (vlan200)     # hisoka's 10.123.40.6 is
                                        # default route for killua
  hisoka (vlan200) -> hisoka (em4)
  hisoka (em4) -> ISPn (69.67.212.97)
  ISPn (69.67.212.97) -> hammer (fxp4)

If I run tcpdump on hammer, I never see the ICMP ping request from killua. But, I do see ICMP ping requests initiated from hisoka:

hisoka:/# ping 69.67.212.94
PING 69.67.212.94 (69.67.212.94): 56 data bytes
64 bytes from 69.67.212.94: icmp_seq=0 ttl=254 time=2.065 ms
64 bytes from 69.67.212.94: icmp_seq=1 ttl=254 time=1.803 ms
...

hisoka:/# tcpdump -n -e -ttt -i pflog0 host 69.67.212.94
tcpdump: listening on pflog0, link-type PFLOG
Mar 24 01:57:56.583750 rule 35/(match) pass out on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request
Mar 24 01:57:56.584686 rule 37/(match) pass in on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request

Any ideas?

The following pflog output from above is peculiar. Why the "pass in on em4" after "nat out on em4"? Because of the bridging?

Mar 24 01:58:34.393762 rule 1/(match) nat out on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request
Mar 24 01:58:34.395040 rule 37/(match) pass in on em4: 69.67.212.126 > 69.67.212.94: icmp: echo request

-- 
albert chin (ch...@thewrittenword.com)